[DRE-maint] Bug#900283: Bug in redmine 3.3.1-4+deb9u1 CVE-2017-15569.patch

Frank Hebold frank.hebold at hiperscan.com
Mon May 28 14:45:18 BST 2018


Package: redmine
Version: 3.3.1-4+deb9u1


Dear Maintainers,

On Thu, 12 Apr 2018 11:33:06 -0300 Debian published a security update for Redmine in version 3.3.1.
This security update includes the patch CVE-2017-15569.patch.

https://sources.debian.org/patches/redmine/3.3.1-4+deb9u1/CVE-2017-15569.patch/

I write to report a bug with this patch. Custom fields with multiple values will not be put into a table correctly.
The way I found out was:
1. Create a tracker that utilizes a custom field of type list or user and has multiple values allowed.
2. Create an issue that has more than one value in that custom field, e.g. two users.
3. If I then do a query on my project, I get an HTTP 500 error response and see the following in my logs:

------------------------------------------>8----------------------------------------------------------------------
Completed 500 Internal Server Error in 442ms (ActiveRecord: 84.3ms)

ActionView::Template::Error (undefined local variable or method `item' for #<#<Class:0x00563c5e6eae88>:0x007f128233ed70>):
    28:   <% end %>
    29:   <tr id="issue-<%= issue.id %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %> <%= level > 0 ? "idnt idnt-#{level}" : nil %>">
    30:     <td class="checkbox hide-when-print"><%= check_box_tag("ids[]", issue.id, false, :id => nil) %></td>
    31:     <% query.inline_columns.each do |column| %>
    32:     <%= content_tag('td', column_content(column, issue), :class => column.css_classes) %>
    33:     <% end %>
    34:   </tr>
  app/helpers/queries_helper.rb:132:in `block in column_content'
  app/helpers/queries_helper.rb:132:in `collect'
------------------------------------------8<----------------------------------------------------------------------

Changing the word "item" to "issue" resolves this problem.

I'm using Debian 4.9.88-1 (2018-04-29) x86_64 GNU/Linux with kernel 4.9.0-6-amd64 and libc6 2.24-11+deb9u3.

Please contact us if you have any further questions or would like to have more information.

Kind regards
Frank Hebold

--
Frank Hebold
Trainee IT specialist (IHK)
HiperScan GmbH
Weißeritzstr. 3
01067 Dresden
Germany

phone +49 351 212 496 20
fax +49 351 212 496 99
mailto: frank.hebold at hiperscan.com
www.hiperscan.com
www.apo-ident.de

HiperScan GmbH, Dresden
commercial register number HRB 24683
local court Dresden
CEOs: Dr. Alexander Wolter, Michael Thoma
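The failure mode the report describes, as an added illustration that is not part of the original mail and not Redmine's or the Debian patch's actual code: a stand-in for QueriesHelper#column_content whose `collect` block refers to `item`, a name that is not in scope, while the enclosing method only knows `issue`. The stand-ins `Column`, `Issue`, `column_value`, the field name "reviewers" and the user names are all constructed here. The point worth seeing is that only the multi-value branch executes the broken block, so a field with a single value never triggers the NameError and the bug stays hidden until an issue carries two values.

```ruby
# Constructed stand-ins for a custom-field column and an issue (not Redmine's classes).
Column = Struct.new(:name, :multiple)
Issue = Struct.new(:id, :custom_values) do
  def custom_value_for(column)
    custom_values[column.name]
  end
end

# Hypothetical per-value renderer: one value -> one cell fragment.
def column_value(column, issue, value)
  "#{issue.id}:#{column.name}=#{value}"
end

# Buggy version, mirroring the reported trace: `item` is undefined here, so the
# block raises "undefined local variable or method `item'" (a NameError), but
# only when the Array branch is taken.
def column_content_buggy(column, issue)
  value = issue.custom_value_for(column)
  if value.is_a?(Array)
    value.collect { |v| column_value(column, item, v) }.compact.join(', ')
  else
    column_value(column, issue, value)
  end
end

# Fixed version: the block uses the method argument `issue`, as the report suggests.
def column_content_fixed(column, issue)
  value = issue.custom_value_for(column)
  if value.is_a?(Array)
    value.collect { |v| column_value(column, issue, v) }.compact.join(', ')
  else
    column_value(column, issue, value)
  end
end

# Constructed sample data: a user-list field, once with two users (as in the
# report) and once with a single user.
REVIEWERS = Column.new('reviewers', true)
ISSUE_WITH_TWO_USERS = Issue.new(42, { 'reviewers' => ['alice', 'bob'] })
ISSUE_WITH_ONE_USER  = Issue.new(43, { 'reviewers' => 'carol' })

# Runs the buggy helper and reports :name_error instead of propagating the
# exception, so the two code paths can be compared side by side.
def render_or_error(column, issue)
  column_content_buggy(column, issue)
rescue NameError
  :name_error
end

if __FILE__ == $0
  puts render_or_error(REVIEWERS, ISSUE_WITH_ONE_USER)      # single value: bug not reached
  puts render_or_error(REVIEWERS, ISSUE_WITH_TWO_USERS)     # two values: name_error
  puts column_content_fixed(REVIEWERS, ISSUE_WITH_TWO_USERS) # fixed: both values rendered
end
```

A regression test for a fix like this should therefore always include an issue whose multi-value custom field actually holds more than one value; a single-value fixture exercises only the unaffected branch.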


